Computer program, method, and system for preventing execution of viruses and malware

ABSTRACT

Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications and terminating execution of any application not on the inventory recordation while in a protected mode. An instantaneous and unprompted inventory recordation known as a “snapshot” can be performed by the computer program. A user may further train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode can be activated. A smart icon graphical user interface is utilized, that automatically toggles between locked and unlocked depending on if the computing device is at risk or not, to place the computing device in a protected or unprotected mode.

RELATED APPLICATIONS

This patent application is a continuation of, and claims priority benefit to, U.S. patent application Ser. No. 14/187,007, filed on Feb. 21, 2014 sharing the same title, which is a continuation of U.S. patent application Ser. No. 14/171,361, filed on Feb. 3, 2014, and entitled “COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE.” The Ser. No. 14/171,361 patent application is a continuation application of earlier-filed U.S. patent application Ser. No. 13/479,044, filed on May 23, 2012, and entitled “COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE.” The Ser. No. 13/479,044 patent application is a non-provisional, and claims priority benefit with regard to all common subject matter, of U.S. Provisional Patent Application No. 61/543,068, filed Oct. 4, 2011, and entitled “COMPUTER PROGRAM AND METHOD FOR PREVENTION OF INFECTION OR EXECUTION OF VIRUSES AND MALWARE,” and U.S. Provisional Patent Application No. 61/493,166, filed Jun. 3, 2011, and entitled “COMPUTER PROGRAM AND METHOD FOR PREVENTION OF INFECTION OR EXECUTION OF VIRUSES AND MALWARE.” The identified earlier-filed non-provisional and provisional patent applications are hereby incorporated by reference in their entirety into the present application.

BACKGROUND

1. Field

Embodiments of the present invention provide a computer program, a method, and a system for prevention of infection or execution of viruses and malware on a computing device. More particularly, embodiments of the present invention prohibit infection or execution of all new applications or processes while a protected mode of the computer program of the present invention is activated.

2. Related Art

Infection of a computing device by a virus or item of malware is a significant problem for many computer users. Malfeasants initiating the virus/malware are skilled at cloaking the virus as a legitimate application, such that many computer users unknowingly allow execution of the virus on the user's computing device. To combat this problem, there are many types of virus/malware prevention computer programs. A first type of program attempts to track each new virus/malware, compare an application to be executed against a list of known viruses and items of malware, and block any application that matches the listing of known viruses and malware. This method of virus prevention has many detractions, however. For example, literally multiple thousands of viruses are known on any given day, and every day more viruses are added to the “virus list.” The upkeep of the virus list requires daily, if not hourly, monitoring and updating. Additionally, the processing time to compare an application attempting to execute on the user's computing device to the “virus list” is time consuming, as the list is usually very extensive. Thus, the processing time employed by the computing device's CPU and the memory and hard drive utilization are relatively larger for lengthy lists of viruses. Additionally, these virus prevention methods require scanning and filtering through numerous known viruses, which increases processing time and hard drive utilization.

A second type of virus/malware prevention approaches the problem by maintaining a whitelist of legitimate (i.e., non-virus) applications. Similar to the above example, any new application attempting to be executed is compared to the applications on the whitelist. If there is a match, then the application is allowed to execute. Although the whitelist of legitimate applications is not as numerous as the “virus list” described above, the whitelist is usually still several thousand applications, and more applications are routinely added. Because the whitelist is a universal whitelist for all computer users, if a particular computer user accesses a little known application, then the application may not be on the whitelist, even if it is legitimate. The user must then request the application be specifically executed via a series of advanced steps, and such selection of the advanced steps must be undertaken each time the application is accessed.

Accordingly, there is a need for a computer program, a method, and a system that prevents execution of a virus or item of malware quickly, without using significant computer resources, that is easy for the average computer user to use, and that is unobtrusive and does not interfere with the user's use of the computing device.

SUMMARY

Embodiments of the present invention solve the above-mentioned problems and provide a computer program, a method, and a system for prevention of infection or execution of viruses and malware on a computing device. Embodiments of the present invention advantageously kill, block, and deny from running or being executed unwanted or malicious computer code by having no exception to what applications may be executed while the computer program is in an activated protected mode. In particular, while the protected mode is activated, no application may be executed unless it is listed on an inventory recordation personal to the user, wherein the inventory recordation lists information uniquely identifying a plurality of legitimate applications.

The user may activate a training mode during which the user may train the computer program as to which legitimate applications the user routinely accesses. The computer program then compiles the inventory recordation that is personal to the user, as the inventory recordation lists applications accessed by the user during the training mode. Thus, the inventory recordation of embodiments of the present invention is not a universal whitelist intending to list all legitimate applications for all users, but is instead a listing of applications that are, at least in part, selected by each particular user and based off of and a result of the user's use of the computing device and accessed applications. Because the inventory recordation is personal to the user, the list of legitimate applications on the inventory recordation is substantially shorter than prior art “whitelisting” methods.

The computer program and method of embodiments of the present invention comprise the initial step of compiling the inventory recordation personal to the user by (1) receiving an instruction from the user to selectively activate the training mode, (2) receiving information identifying at least one application requested by the user to be executed by the computing device, and (3) updating the inventory recordation to include the information identifying the requested application, such that at least one application identified on the inventory recordation directly results from the user's instruction to execute the application during the training mode. After compiling the inventory recordation personal to the user, the computer program and method of embodiments of the present invention broadly comprise the steps of activating the protected mode, such that upon activation of the protected mode, the training mode is automatically deactivated; receiving, while the protected mode is activated, information indicative of an attempt by the user to execute an unconfirmed application, wherein the information indicative of an attempt by the user to execute an unconfirmed application includes information identifying the unconfirmed application; comparing the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution; identifying the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and identifying the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Other aspects and advantages of the present invention will be apparent from the following detailed description of the embodiments and the accompanying drawing figures.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

Embodiments of the present invention are described in detail below with reference to the attached drawing figures, wherein:

FIG. 1 is a schematic depiction of a system for prevention of execution of viruses and malware on a computing device constructed in accordance with various embodiments of the present invention;

FIG. 2 is a flow chart of a method of prevention of execution of viruses and malware on a computing device;

FIG. 3 is a first screen capture of the computer program of embodiments of the present invention and illustrating an inventory recordation and, in particular, exemplary administrator applications;

FIG. 4 is a second screen capture of the computer program of embodiments of the present invention and illustrating the computer program in a training mode;

FIG. 5 is a third screen capture of the computer program of embodiments of the present invention and illustrating the computer program in a protected mode (indicated as “ON”);

FIG. 6 is a fourth screen capture of the computer program of embodiments of the present invention and illustrating a menu of user-selectable operations for instructing the computer program;

FIG. 7 is a fifth screen capture of the computer program of embodiments of the present invention and illustrating a user option menu providing a plurality of user-selectable options for the operations of the computer program; and

FIG. 8 is a sixth screen capture of the computer program of embodiments of the present invention and illustrating a notification by the computer program of the blocking of an application attempted to be executed by the user.

The drawing figures do not limit the present invention to the specific embodiments disclosed and described herein. The drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The following detailed description of the invention references the accompanying drawings that illustrate specific embodiments in which the invention can be practiced. The embodiments are intended to describe aspects of the invention in sufficient detail to enable those skilled in the art to practice the invention. Other embodiments can be utilized and changes can be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense. The scope of the present invention is defined only by the appended claims, along with the full scope of equivalents to which such claims are entitled.

In this description, references to “one embodiment,” “an embodiment,” or “embodiments” mean that the feature or features being referred to are included in at least one embodiment of the technology. Separate references to “one embodiment,” “an embodiment,” or “embodiments” in this description do not necessarily refer to the same embodiment and are also not mutually exclusive unless so stated and/or except as will be readily apparent to those skilled in the art from the description. For example, a feature, structure, act, etc. described in one embodiment may also be included in other embodiments, but is not necessarily included. Thus, the present technology can include a variety of combinations and/or integrations of the embodiments described herein.

The present invention provides various embodiments of a computer program, a method, and a virus and malware prevention system 10. The invention prevents execution of any application by an operating system of a computing device that is not identified on an inventory recordation listing legitimate applications. In embodiments of the present invention, at least a plurality of the applications identified on the inventory recordation is personal to either or both of the computing device or a logged user of the computing device, such as when the user gains access to the computing device via a username and password or other “logging in” or authentication feature. An “application” as used herein is defined as any process, program, or application that can be or is executed by the computing device, and similarly, reference herein to a “process” should be considered to include applications.

As detailed below, the computer program of embodiments of the present invention comprises a plurality of code segments executable by the computing device for performing the steps of the method of the present invention. The steps of the method may be performed in the order shown in FIG. 2, or they may be performed in a different order. Furthermore, some steps may be performed concurrently as opposed to sequentially. Also, some steps may be optional.

The user of the present invention can selectively activate a program mode for desired operational features. The present invention includes at least two program modes, namely a training mode and a protected mode, wherein there are two variations of the protected mode. In further embodiments of the present invention, a third program mode, referred to as an off mode, may also be activated by the user.

Depending on the activated program mode and/or also whether an application is on the inventory recordation, the computer program of the present invention either instructs the operating system to deny execution of the application or otherwise does not prevent or interfere with execution of the application. Thus, it should be understood and appreciated that the computer program does not actually execute any particular application; instead, the operating system of the computing device executes the application. Reference to the computer program of the present invention executing an application or allowing execution of an application is intended to encompass the computer program not instructing the operating system to terminate execution of a particular application.

The computer program and method of embodiments of the present invention comprise the initial step of compiling the inventory recordation personal to the user by (1) receiving an instruction from the user to selectively activate the training mode, (2) receiving information identifying at least one application requested by the user to be executed by the computing device, and (3) updating the inventory recordation to include the information identifying the requested application, such that at least one application identified on the inventory recordation directly results from the user's instruction to execute the application during the training mode. After compiling the inventory recordation personal to the user, the computer program and method of embodiments of the present invention broadly comprise the steps of activating the protected mode, such that upon activation of the protected mode, the training mode is automatically deactivated; receiving, while the protected mode is activated, information indicative of an attempt by the user to execute an unconfirmed application, wherein the information indicative of an attempt by the user to execute an unconfirmed application includes information identifying the unconfirmed application; comparing the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution; identifying the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and identifying the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.

Hardware Description

The computer program and the method of embodiments of the present invention may be implemented in hardware, software, firmware, or combinations thereof using the virus and malware prevention system 10, shown in FIG. 1, which broadly comprises server devices 12, computing devices 14, and a communications network 16. The server devices 12 may include computing devices that provide access to one or more general computing resources, such as Internet services, electronic mail services, data transfer services, and the like. The server devices 12 may also provide access to databases storing each user's or computing device's inventory recordation. The computing device may include any device, component, or equipment with a processing element and associated memory elements. The processing element may implement operating systems, and may be capable of executing the computer program, which is also generally known as instructions, commands, software code, executables, applications, apps, and the like. The computer program may be multiplatform and may be installed on any computing device or processing element. The platforms include, but are not limited to: Microsoft Windows, Mac OS, Mac iOS (iPhone and iPad), Java ME, Linux, Google Android, Symbian, BlackBerry, Windows Mobile, Playstation, BREW, FreeBSD, Nintendo Wii, SunOS, Nintendo DS, Palm, Web TV, OpenBSD, NetBSD, AIX, SCP, HP-UX, OpenVMS, and SCO.

The processing element may include processors, microprocessors, microcontrollers, field programmable gate arrays, and the like, or combinations thereof. The memory elements may be capable of storing or retaining the computer program and may also store data, typically binary data, including text, databases, graphics, audio, video, combinations thereof, and the like. The memory elements may also be known as a “computer-readable storage medium” and may include random access memory (RAM), read only memory (ROM), flash drive memory, floppy disks, hard disk drives, optical storage media such as compact discs (CDs or CDROMs), digital video disc (DVD), Blu-Ray™, and the like, or combinations thereof. In addition to these memory elements, the server devices 12 may further include file stores comprising a plurality of hard disk drives, network attached storage, or a separate storage network.

The computing devices 14 may include work stations, desktop computers, laptop computers, palmtop computers, tablet computers, portable digital assistants (PDA), smart phones, and the like, or combinations thereof. Various embodiments of the computing device 14 may also include voice communication devices, such as cell phones or landline phones.

The communications network 16 may be wired or wireless and may include servers, routers, switches, wireless receivers and transmitters, and the like, as well as electrically conductive cables or optical cables. The communications network 16 may also include local, metro, or wide area networks, as well as the Internet, or other cloud networks. Furthermore, the communications network 16 may include cellular or mobile phone networks, as well as landline phone networks or public switched telephone networks.

Both the server devices 12 and the computing devices 14 may be connected to the communications network 16. Server devices 12 may be able to communicate with other server devices 12 or computing devices 14 through the communications network 16. Likewise, computing devices 14 may be able to communicate with other computing devices 14 or server devices 12 through the communications network 16. The connection to the communications network 16 may be wired or wireless. Thus, the server devices 12 and the computing devices 14 may include the appropriate components to establish a wired or a wireless connection.

The computer program of the present invention may run on the computing device or, alternatively, may run on one or more server devices 12. Thus, a first portion of the program, code, or instructions may execute on a first server device 12 or the computing device 14, while a second portion of the program, code, or instructions may execute on a second server device 12 or the computing device 14. In some embodiments, other portions of the program, code, or instructions may execute on other server devices 12 as well. For example, the database of inventory recordations may be stored on a memory element associated with the server device 12, such that the inventory recordation for each user is remotely accessible for each use of the computer program (e.g., stored in the “cloud”). Alternatively, each inventory recordation may be stored on the memory element associated with the respective computing device for the inventory recordation. In embodiments where the inventory recordations are stored remotely, the user may authenticate their identity at various computing devices while still accessing and relying on the same inventory recordation personal to the user.

Inventory Recordation

When activated and enabled on a computer, the software instantly captures and records an inventory recordation, also referred to herein as a “snapshot,” of any and all computer processes or applications that are currently running on the computer (regardless of whether the process is minimized, i.e., out of focus of the user, or maximized, i.e., in focus of the user). The present invention kills, blocks, denies execution of, or otherwise instructs the operating system to terminate execution of any application or process not listed on the inventory recordation. It should be appreciated that “activation” of the software, as used herein, is not intended to equate to only installation or downloading of the software. Instead, the software may toggle between “activation,” where the software is performing the blocking feature described herein, and “deactivation,” where the software is running but is deactivated and not performing the blocking feature.

Each time the software is activated, a new inventory recordation of the open processes or applications is performed and is merged, without duplication, with the prior inventory recordation. Thus, each inventory recordation that is performed is combined with previously-performed inventory recordations to create a cumulative inventory recordation. Therefore, when performing the blocking function described herein, the software compares the process or application that is attempting to be executed (herein the “attempted process”) with the processes and applications in the cumulative inventory recordation, i.e., the aggregate of the previous inventory recordations taken. If the attempted process does not match a process or application in the cumulative inventory recordation, then the attempted process is blocked, killed, or otherwise denied from running. In embodiments of the present invention, comparison of the processes or applications is performed, for example, by comparing the path and file name of the attempted process to the paths and file names included in the cumulative inventory recordation. Other parameters, properties, or techniques for comparison of the process or application attempting to be performed to those processes or applications stored in the cumulative inventory recordation can also be used.

The inventory recordation is personal to the user, in that at least a plurality of the applications listed on the inventory recordation was added while the program was in the training mode and was added in response to the user's attempt to execute the application in the training mode. Thus, the inventory recordation is not a universal whitelist that is used for comparison/matching of applications for all computing devices and/or all users. Instead, the inventory recordation is specific to the particular computing device. Alternatively, as in an enterprise situation, the user may log on or otherwise authenticate their identity, and then the inventory recordation may be specific to the authenticated user, as opposed to the computing device. Reference to the inventory recordation being personal to the user encompasses both of the scenarios discussed above.

Referring to FIG. 3, the inventory recordation is an inventory or listing of applications, including information uniquely identifying each application. Although varying information may be used to identify the application, in embodiments of the present invention, the pathname for the particular application is used, at the least, to uniquely identify the application. A name for the application may also be used. As an example, Internet Explorer™ is a commonly-used Internet browser with the pathname C:\Program Files\Internet Explorer\iexplore.exe (unless the file explorer.exe is otherwise moved to a different folder by the user of the computing device). The information on the inventory recordation identifying the Internet Explorer™ application is, at the least, the pathname, and this is the information that is used to compare a yet-to-be-approved application that the user is attempting to execute while in the protected mode. The pathname is unique for the particular application, in that two different applications cannot have the same pathname.

As is known in the art, the majority of viruses or malware download to a computing device through a temporary internet file (“TIF”). The folder a particular TIF is assigned to by the operating system is random, such that the pathname assigned to the TIF is random. Therefore, it is statistically highly unlikely that a malfeasant attempting to execute a virus or item of malware on a computing device would be able to guess the pathname assigned by the operating system to the TIF containing the virus/malware. This is especially accurate given that the pathname includes the user profile name (or, as is sometimes the case, the computing device's name) in the pathname. Thus, the malfeasant would also need to target a particular user to even have the user profile name correct in the pathname. As most viruses and malware are deployed en masse in large numbers by the malfeasant, and are not otherwise targeted to particular users, the likelihood that the malfeasant would know the user profile name and be able to include it in the pathname for the TIF containing the virus/malware is extremely low.

Even for viruses that do not enter through a TIF, embodiments of the present invention perform substantially the same by listing unique identifying information, such as the pathname, for the application on the inventory recordation. For example, if a virus did not download as a TIF but was otherwise named with an authentic application's pathname, such as that of Internet Explorer™, then execution of Internet Explorer™ using the pathname C:\Program Files\Internet Explorer\iexplore.exe would not execute the authentic application. Therefore, the virus/malware would be very evident to the user. More importantly, it is generally difficult to spoof an authentic pathname for an application, which is why the vast majority of viruses are downloaded to the computing device via the TIF.
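The training and protected modes, the duplicate-free snapshot merge, and the pathname comparison described in this section can be sketched as follows. This is an added example, not code from the patent: the class and function names, the sample paths and byte strings are constructed, and recording a SHA-256 digest next to each pathname is an assumption standing in for the "other parameters" the text says may be compared. It shows that a pathname-only match accepts different bytes at an approved path, while the digest comparison rejects them.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Constructed sample values for the demonstration (not taken from a real system).
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
MMC_PATH = r"C:\Windows\System32\mmc.exe"
TIF_PATH = (r"C:\Users\alice\AppData\Local\Microsoft\Windows"
            r"\Temporary Internet Files\Content.IE5\A1B2C3D4\invoice.exe")


class Mode(Enum):
    OFF = "off"
    TRAINING = "training"
    PROTECTED = "protected"


def normalize(path: str) -> str:
    """Fold a Windows pathname to one key: unify separators, collapse '..', lowercase."""
    return ntpath.normcase(ntpath.normpath(path))


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Inventory:
    """Cumulative inventory: normalized pathname -> digest recorded at approval."""
    entries: Dict[str, str] = field(default_factory=dict)
    mode: Mode = Mode.OFF

    def merge_snapshot(self, running: Dict[str, bytes]) -> int:
        """Merge a snapshot of running processes without duplication; return count added."""
        added = 0
        for path, content in running.items():
            key = normalize(path)
            if key not in self.entries:
                self.entries[key] = sha256(content)
                added += 1
        return added

    def activate(self, mode: Mode, running: Optional[Dict[str, bytes]] = None) -> None:
        """Only one mode is active at a time, so entering PROTECTED ends TRAINING."""
        if mode is Mode.PROTECTED and running:
            self.merge_snapshot(running)  # snapshot taken at activation
        self.mode = mode

    def on_execute(self, path: str, content: bytes, check_digest: bool = False) -> str:
        """Decide what happens when `path` (with file bytes `content`) tries to run."""
        key = normalize(path)
        if self.mode is Mode.OFF:
            return "allow"
        if self.mode is Mode.TRAINING:
            self.entries.setdefault(key, sha256(content))
            return "learn"
        # PROTECTED: anything not in the cumulative inventory is denied, no exceptions.
        if key not in self.entries:
            return "block"
        # Assumed extra comparison: the bytes must match what was recorded.
        if check_digest and self.entries[key] != sha256(content):
            return "block-modified"
        return "allow"


def demo() -> List[str]:
    inv = Inventory()
    inv.activate(Mode.TRAINING)
    results = [inv.on_execute(IE_PATH, b"ie-build-1")]
    inv.activate(Mode.PROTECTED, running={MMC_PATH: b"mmc-build-1"})
    # Same file, different spelling of the path: must still match.
    results.append(inv.on_execute("C:/Program Files/Internet Explorer/IEXPLORE.EXE",
                                  b"ie-build-1"))
    results.append(inv.on_execute(TIF_PATH, b"unknown"))
    # Different bytes at an approved pathname: path-only match vs. digest match.
    results.append(inv.on_execute(IE_PATH, b"different bytes"))
    results.append(inv.on_execute(IE_PATH, b"different bytes", check_digest=True))
    return results


if __name__ == "__main__":
    print(demo())
```

Without path normalization, a case or separator variant of an approved pathname would be treated as a new application and blocked.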

It should be appreciated that plug-ins and add-ons often used during web browsing, such as, for example, Java™, Flash™, ActiveX™, etc., are not applications executed by the operating system of the computing device but are instead embedded in the Internet browser application. Therefore, while the user is accessing an Internet browser, any plug-ins or add-ons that attempt to be executed will not be blocked by the computer program of the present invention. However, in the event the plug-in or add-on contains a virus or item of malware, upon the virus/malware attempting to execute as an independent application, the computer program will block said virus or malware if the protected mode is activated. Therefore, use of the present invention does not negatively affect the user's web browsing experience.

In embodiments of the present invention, at least one and preferably a plurality of the applications listed on the inventory recordation are listed by an administrator of the computer program and not as a result of the user attempting to execute the application during the training mode. In essence, an established or safe applications list is prepared that contains the information associated with non-virus or non-malware applications and processes that may be used by the computer user. Exemplary programs that are commonly used during computer use and that are included on the established applications list include, without limitation, printing and audio drivers, volume control, remote desktop client, the user control panel, the task manager, backup, Java, and other like programs. The initial inventory recordation accessed by the program of the present invention upon the user's first use of the program includes the applications and processes in the established applications list. Thus, as the user continually accesses programs through use of their computer, and those programs are added to the cumulative inventory recordation, the programs or applications in the established applications list are also included in the cumulative inventory recordation. In particular, there are many applications that the user executes without realizing that the application is even executing. For example, mmc.exe assists with managing plug-ins. Execution of the application by the user is likely unknown to most users. Other exemplary applications that may be listed as an administrator application include, without limitation, printing and audio drivers, volume control, remote desktop client, the user control panel, the task manager, backup applications, and other like applications. To address these less obvious applications executed by the operating system on a regular basis, embodiments of the present invention compile a list of unique identifying information for the administrator applications.

In embodiments of the present invention, the listing of administrator applications is less than two hundred, less than one hundred fifty, or less than one hundred applications. Thus, the list of administrator applications is not a universal list of all potential authentic applications that could be executed by any user but rather the discrete list of applications required for efficient operation of the operating system. Notably, and as discussed below, the computer program updates the inventory recordation to include the listing of applications accessed by the user during the training mode. It is to be noted that although the established applications list is used as part of the cumulative inventory recordation, the particular programs accessed by the user are also cumulatively added to the cumulative inventory recordation. Therefore, the present invention appreciates that there are programs that many computer users do not realize they use, such as a print execution program, but there are other programs that the particular user may access that are not otherwise on the established applications list. The purpose of such is to maintain a relatively small cumulative inventory recordation for each user that is specific to the user. This prevents reliance on a “whitelist” of all possible valid programs on which viruses or malware can inadvertently be added. Additionally, the computer program of embodiments of the present invention need only cross-reference the programs listed in the cumulative inventory recordation, and because it is a relatively small list particular to the user (except for the even smaller list of established applications), the cross-referencing performed by the computer program of the present invention is significantly faster than prior art anti-virus or malware programs.

As noted above, the inventory recordation may be stored locally or remotely, but in embodiments, the inventory recordation is stored remotely so as to allow access by the user via multiple computing devices and to prevent hacking or other malicious access of the inventory recordation. In particular, when the computer program of the present invention is executed during a particular use time, the inventory recordation is stored locally on the computing device. When the user exits or closes the computer program of the present invention, or the program is otherwise exited due to computing device inactivity by the user, the inventory recordation is uploaded to a remote site. When the computer program is again re-executed or the computing device is booted, the inventory recordation that is stored remotely is downloaded to the computing device. In alternative embodiments, the inventory recordation can be uploaded to the remote storage site more or less frequently, and the frequency of uploading can be user-selected.

In sum, embodiments of the present invention advantageously kill, block, and deny from running, or being executed, unwanted or malicious computer code by having no exception to what applications may be executed while the software is activated. Alternatively stated, while the software is running, no application may be executed unless it is within the cumulative inventory recordation. Traditional antivirus software or computer firewalls include the ability of the user to grant exceptions to certain applications, thereby allowing said accepted applications to always run or be executed. Embodiments of the present invention do not allow for exceptions in any form or fashion if not otherwise listed in the cumulative inventory recordation, which eliminates the risk of exposure to malicious computer code that might be present in the application exceptions.

In embodiments of the present invention, the inventory recordation is also password protected or requires some form of authentication to access it. This prevents a hacker from easily accessing the inventory recordation and modifying it to include pathnames corresponding to viruses or malware.

As illustrated in FIG. 7 at 116, the user may select to automatically allow all applications in the “Programs Files” folders to be added to the inventory recordation. Additionally, as illustrated at 118 in FIG. 7, the user may select to automatically allow all applications in the Windows Systems folders to be added to the inventory recordation.

Training Mode

While in the training mode, the computer program of the present invention executes any application instructed by the user and regardless of whether the inventory recordation comprises information uniquely identifying the application. The computer program does not match or compare the identifying information for the application to be executed against the identifying information for the applications listed on the inventory recordation for the respective user. Thus, while in the training mode, the computing device is susceptible to downloading and executing a virus or item of malware.

The user must train the computer program on what applications the user desires to permanently be executable by the operating system. If the user has not trained the computer program to include a particular application, and the application is not otherwise one of the discrete administrator applications, then while in the protected mode, attempted execution of the application will be terminated.

The training of the computer program is the initial step of compiling the inventory recordation personal to the user, as illustrated in Step 200 of FIG. 2. As illustrated in FIG. 4, the user first selectively activates the training mode, Step 202, using a computer user interface 100 of the present invention detailed below and hereinafter referred to as a “smart icon.” Activation of the training mode requires affirmative user selection, which is in contrast to activation of the protected mode as detailed below.

Upon the training mode being activated, the user accesses each of the applications the user normally uses, such as Microsoft Word™, Adobe™, etc., as shown in Step 204. Because the training mode is activated, each accessed application will be executed by the operating system. Additionally, the inventory recordation personal to the user is updated to include information uniquely identifying the accessed application, such as the pathname for the application, as shown in Step 206. Once the inventory recordation is updated to include the accessed application, the computing device will execute the application at any time and regardless of the activated program mode. Notably, the computing device will execute the application while in the protected mode because the pathname for the application will be on the inventory recordation and there will be a successful match, as discussed in detail below.

Should the pathname for the application change in the future due to an update or being moved on the computing device's operating system, then this will prevent execution of the application while in the protected mode. This is because the new pathname attempting to be executed while in protected mode is not on the inventory recordation. To remedy this, the user will activate the training mode using the smart icon and then select the application for execution. Upon execution of the application in the training mode, the inventory recordation will be updated to include the new pathname for the application.

Protected Mode

After the user has trained the computer program of the present invention on the common applications accessed by the user so that the inventory recordation personal to the user is compiled, the protected mode is activated or “ON”, as shown in Step 208 and illustrated in FIG. 5. Embodiments of the present invention contemplate two variations of the protected mode, namely a “Smart” mode and an “Always On” mode, as illustrated in FIG. 6. Although both variations of the protected mode are discussed below in detail, for ease of reference, the following is a brief discussion.

In the “Smart” protected mode, the computer program toggles between monitoring and not monitoring what applications the user requests to be executed depending on whether the user executes an application that presents a risk for further execution of a virus or item of malware (also referred to as “virus source applications”), such as an Internet browser or e-mail client application. If the at-risk application is executed, then the application monitoring and blocking features are activated. In contrast, if the user is not running an application that presents a risk for execution of a virus (for example, the user is running Microsoft Word™), then the application monitoring and blocking features are not activated.

Should the user forget to activate the software, embodiments of the present invention may automatically activate the software upon execution of virus source applications, as described above. It should be appreciated that the virus source applications or processes that automatically activate the software, i.e., that act as an initiator of the software, may include additional processes than described above, and reference to web browsers or e-mail clients is not intended to be limiting.

As is known, minimized applications that are not in focus by the user but are still running on the user's computer can still be a source of viruses. This is because, for example, a website can install viruses at any time while the application is running on the computer. The present invention recognizes this weakness and activates, or, as the case may be, maintains activation of the software even when a web browser or e-mail client is minimized or otherwise out of focus. Thus, the default performance mode for the software is that the software does not automatically deactivate until all virus source applications, such as the web browsers and e-mail clients, are closed (as opposed to merely minimizing). Should the user close the browser or e-mail client, such that no virus source applications are running, then the software will automatically deactivate. Should the user manually deactivate the software to start or open an application that is not a virus source application, such as Microsoft Word, then the software will remain inactive until the user chooses to reactivate it or until the software detects opening or running of a virus source application.

In even further alternative embodiments, the software may include a user-selected preference that is recommended for advanced users. In this preference, the software automatically deactivates when a non-virus source application, such as Microsoft Word, gains focus or is otherwise maximized. The software is reactivated when a virus source application gains focus. Therefore, unlike the default preference wherein the software is activated when the virus source application is running, regardless of whether the virus source application is minimized or maximized, the user-selected advanced preference only activates the software when a virus source application gains focus. Although this preference does provide a slightly higher exposure to viruses due to viruses being able to infiltrate a computer system even when the Internet or a website is not actively being accessed, the user-selected advanced preference provides a more streamlined user experience. Because the risk of a virus from a non-active website is relatively low, the user may desire this preference.

The “Always On” mode does not toggle between monitoring and not monitoring the applications executed by the user. Instead, the application monitoring and blocking features are always activated when in the “Always On” mode, regardless of whether the user activates an application that presents a risk for infection of a virus or item of malware.

In embodiments of the present invention, the “Smart” mode is the default protected mode that is activated after the training mode discussed above is completed. The user may manually select the “Always On” mode should the user desire to maintain the application monitoring and blocking features at all times (except, of course, when the training mode is otherwise activated). It is contemplated that the “Always On” mode is best used once the computer program of the present invention is well trained, that is once the user has compiled the inventory recordation personal to the user over an extended period of time, such that new applications to add to the inventory recordation are rare. In alternative embodiments of the present invention, the user may select which of the two variations of the protected mode the user desires to automatically activate upon deactivation of the training mode.

The protected mode may be activated by one of several different methods. It should be understood that because the protected mode is either of the two variations discussed above, namely the “Smart” mode and the “Always On” mode, activation of the protected mode activates one of these two variations, depending on either the default or user-selected preferences. In a first method, the protected mode is automatically activated by the computer program of the present invention after an elapsed period of time 102, as shown in the user-selected settings box 104 of FIG. 7. In particular, while in the training mode, the program monitors the period of time the training mode is activated or some other period of time, such as the time from when the user last accessed and executed an application. After a pre-set period of time has elapsed, the computer program automatically deactivates the training mode and activates the protected mode without requiring the user to affirmatively activate the protected mode. The advantage of the automatic activation of the protected mode is that the user does not need to remember to activate the protected mode. In embodiments of the present invention, a default pre-set period of time 102 may be used or the user may have the option of selecting another pre-set period of time. Exemplary pre-set periods of time are thirty seconds, forty-five seconds, one minute, three minutes, five minutes, or ten minutes.

In a second method of activation of the protected mode, after the pre-set period of time has elapsed, the computer program presents an interface to the user requesting if the user is finished with training the computer program. An exemplary user interface is a balloon or other pop-up requesting the user to confirm that the user is finished training the program. If the user selects in the affirmative or “yes, I am finished training the computer program,” then the computer program automatically activates the program mode. If the user selects in the negative or “no, I am not finished training the computer program,” then the computer program begins anew monitoring an elapsed period of time.

In a third method of activation of the protected mode, the user can manually activate the protected mode via the smart icon 100. In a fourth method, the protected mode is automatically activated after a new application is detected, as illustrated at 120 in FIG. 7. In this fourth method, when the user trains the computer program to add a new application to the inventory recordation, the protected mode is automatically activated after the new application is added. In a fifth method, the computer program can automatically monitor for the presence of Internet activity and automatically activate the protected mode upon detection of said Internet activity. Other methods of activation of the protected mode could also be employed by the computer program.

As can be appreciated, most of the use time of the computing device will be while the protected mode is activated. In this mode, the user's ability to execute a virus or item of malware is significantly diminished, if not completely removed. When the “Always On” variation of the protected mode is activated, any application that the user attempts to execute is monitored and compared to the inventory recordation personal to the user. When the “Smart” variation of the protected mode is activated, any application that the user attempts to execute, while an at-risk application is running, is monitored and compared to the inventory recordation personal to the user. For both variations of the protected mode, if the application's unique identifying information is not listed on the inventory recordation, then the computer program of the present invention instructs the operating system to terminate execution of the application, as illustrated in FIG. 8.

In more detail and as illustrated at Step 210, the computer program receives the user's instruction to activate a yet-to-be-approved application, hereinafter referred to as an “unconfirmed application.” The computer program also receives information uniquely identifying the unconfirmed application, such as the application's pathname. The computer program compares the information uniquely identifying the unconfirmed application with the information uniquely identifying the plurality of applications listed on the inventory recordation personal to the user, as shown in Step 212. If the information for the unconfirmed application matches information for an application listed on the inventory recordation, then the application attempting to be executed is approved for execution, as shown in Step 214. In such a case, the computer program allows the application to execute or otherwise does not interfere with or prevent the operating system's execution of the application, such as by instructing the operating system to terminate execution of the application. However, if the information identifying the application attempting to be executed does not match with information for an application listed on the inventory recordation, then execution of the application is prevented, as shown in Step 216 and illustrated in FIG. 8. In particular, the computer program of the present invention instructs the operating system to terminate execution of the application or otherwise prevent execution of the application by the computing device. In embodiments of the present invention, if the computer program instructs termination of the application, the computer program will present a message, such as in the form of a pop-up or balloon notification 106 in FIG. 8 that informs the user that the application's execution was terminated. Alternatively or in addition, the smart icon may simply flash or briefly change colors to notify the user of the blocked application.
If the user was attempting to execute what the user knew to be a legitimate application, this then informs the user that the inventory recordation needs to be updated. The user then activates the training mode via the smart icon and executes the application in the training mode to effectuate updating of the inventory recordation.

Embodiments of the present invention have the advantage of not requiring the user to respond to a prompt or request instructing whether an application should be executed or not. For example, prior art virus/malware prevention programs frequently operate by identifying a potentially suspicious application and then presenting to the user a prompt requesting the user to confirm or not confirm that the application should be executed. This methodology for preventing virus/malware execution fails for at least two reasons. First, many legitimate applications are identified by the computer program as being suspicious, which results in a large percentage of false positives. This large percentage of false positives then reduces user awareness of what could or could not be a virus or item of malware. Moreover, this requires the user to know, or at the least investigate, whether the application attempting to be executed and for which the user received the prompt is a legitimate application. Many computer users will not have the sophistication or knowledge to accurately confirm the legitimacy of the application.

Second, because many virus/malware prevention programs operate by presenting a prompt or request to the user to approve execution of the application, malfeasants know this and have mimicked the prompt or request interface of legitimate virus and malware prevention programs. Although there are many versions of mimicking a legitimate program, a common prompt is to ask the user if it would like a particular application (one that is often well known, such as JAVA™) to be updated. If the user confirms the update (or sometimes even if the user only selects any input on the prompt), the application containing the virus is executed. Embodiments of the present invention, upon receiving the user's selection to update the mimicked legitimate application, compare the pathname of the application to the inventory recordation to determine if the application is authentic and is approved for execution by the operating system.

As noted above, once an application is executed by the user in the training mode, such that the application is listed on the inventory recordation, there may be a circumstance where the application is updated by an administrator or source of the application. Most application updates do not result in the application being assigned a different pathname. However, it is foreseeable that some updated applications will be assigned a new pathname, such as if a major update is made or if a new version of the application is issued. In these instances, the pathname or other unique identifying information associated with the updated application will be changed from the prior version of the application, and as such, the unique identifying information for the application will not be listed on the user's inventory recordation. This will be evident to the user, as execution of the application while in the protected mode will be terminated.

Because the application is now identified with different unique information, the computer program of the present invention terminates execution of the application because it does not match identifying information on the inventory recordation. As described above, the user is notified that execution of the application was terminated. Because the notification is provided close in time and immediately in response to the user's attempt to execute the application, the user knows that the application information needs to be updated on the inventory recordation. The user will then activate the training mode and execute the application in the training mode, as described above.

“Smart” and “Always on” Variations of the Protected Mode

As noted above, the computer program initially defaults to the “Smart” protected mode as the preferred variation of the protected mode of embodiments of the present invention. In the Smart mode, the computer program monitors what applications the user requests to be executed. If the user executes an application that presents a risk for further execution of a virus or item of malware, such as an Internet browser application, then the application blocking features described above for the protected mode are activated. For example, the computer program would allow execution of the Internet browser application because it is listed on the inventory recordation. Because the browser is open on the computing device, the risk for executing a virus is significantly increased. Therefore, the Smart protected mode compares each new application to be executed against the inventory recordation, but this application monitoring and blocking feature is only activated when an at-risk application is running. In contrast, if the user is working on the computing device and executes an application that is not a risk for downloading and executing a virus or item of malware, such as Microsoft Word™, then the application execution features described above for the training mode are activated, wherein each new application to be executed is not compared to the inventory recordation.

Thus, the Smart program mode toggles between a first sub-mode wherein the computer program is comparing the applications requested for execution to the inventory recordation, and a second sub-mode, wherein the computer program is not comparing the accessed applications to the inventory recordation. Upon the user attempting to execute applications known to be a source for downloading and executing viruses, the Smart protected mode toggles to the first sub-mode, wherein all applications attempted to be executed are compared to the inventory recordation for the user. Exemplary applications known to be a source of viruses are Internet browsers and e-mail clients. However, all system or user installed software that communicates with the Internet (hereinafter also referred to as “network-applications”), and thereby is subject to inherent exposure to malicious computer code, may automatically activate and enable the software. On the other hand, system and user installed software that does not communicate with the Internet, and therefore, is not subject to inherent exposure, does not necessarily activate and enable the software. It is to be appreciated that the Internet browser itself is not a source of viruses, but because the Internet browser is used to access data and potentially other applications, the execution of the Internet browser is a signal to the computer program to toggle the Smart protected mode to the first sub-mode of comparing all applications to be executed to the inventory recordation and terminating execution if not listed thereon.

In the second sub-mode where all applications are executed regardless if listed on the inventory recordation, the computer program may either update the inventory recordation to include the accessed application, similar to the training mode described above, or may simply allow execution of the application without updating the inventory recordation. In further alternatives, the user may select which of these two options the user desires the computer program to perform.

In alternative embodiments, activation of the first sub-mode of the Smart protected mode further comprises comparing each application that is executed and updating the inventory recordation with any newly-executed applications to the extent that an application is not a risk for a virus. However, upon executing an application that places the computer at risk for a virus, the Smart protected mode toggles to the second sub-mode of comparing each application to be executed to the inventory recordation. The default of the computer program of the present invention is that the Smart mode toggles to the second sub-mode upon execution of any Internet browser or any e-mail client. The computer program may also allow the user the option to deselect either of these at-risk applications or add additional at-risk applications.

Although not required, it is expected that the Smart protected mode will be used for a discrete period of time after the user initially installs the computer program of the present invention. For example, the Smart protected mode may be used for two weeks, after which the computer program automatically activates the “Always On” protected mode. The computer program may include a default time period after installation of the computer program, or the computer program may offer the user an option to select a period of time different than the default time period. A default period of time of several days to several weeks is long enough that most applications the user will ever execute on the computing device will be accessed during the period of time due to normal use of the computing device by the user. During this time period, the user is essentially training the computer program by executing applications that are then added to the user's inventory recordation. After the default or user-selected time period has expired and the computer program activates the “Always On” protected mode, should the user attempt to execute an application that is not on the inventory recordation, the user can simply activate the training mode and execute the application in the training mode to update the inventory recordation.

As also discussed above, when the “Always On” variation of the protected mode is activated, the computer program is continually monitoring each application requested by the user to be executed. Should the application not be listed on the inventory recordation, execution of the application is blocked, as illustrated in FIG. 8. The application monitoring and blocking features are implemented regardless of other applications executed on the computing device, such as an Internet browser or other at-risk application.
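
The comparison of Steps 210 through 216 and the toggling between the training, “Smart” and “Always On” modes can be sketched as follows. This is an added illustration and not code from the patent; the class, the function names and the sample pathnames are constructed, and comparing pathnames case-insensitively (as on Windows) is an assumption.

```python
import ntpath
from enum import Enum

# Constructed sample pathnames (only the mmc.exe file name appears in the text).
MMC = r"C:\Windows\System32\mmc.exe"
WORD = r"C:\Program Files\Office\winword.exe"
WORD_MOVED = r"C:\Program Files\Office16\winword.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
UNKNOWN = r"C:\Users\user\AppData\Local\Temp\update.exe"


class Mode(Enum):
    TRAINING = "training"
    SMART = "smart"
    ALWAYS_ON = "always on"


def normalize(pathname):
    """Assumption: pathnames match case-insensitively, with one separator style."""
    return ntpath.normcase(ntpath.normpath(pathname))


class ExecutionGuard:
    """Hypothetical model of the inventory recordation and the program modes."""

    def __init__(self, established, virus_sources, learn_when_unmonitored=False):
        # The inventory starts from the administrator's established list.
        self.inventory = {normalize(p) for p in established}
        self.virus_sources = {normalize(p) for p in virus_sources}
        self.learn_when_unmonitored = learn_when_unmonitored
        self.mode = Mode.TRAINING
        self.running = set()
        self.blocked = []  # what a balloon notification would report

    def _monitoring(self, key):
        """True when the request must be compared against the inventory."""
        if self.mode is Mode.ALWAYS_ON:
            return True
        # Smart mode: compare only while a virus source application is being
        # started or is still running (minimized counts as running).
        return key in self.virus_sources or bool(self.running & self.virus_sources)

    def request_execution(self, pathname):
        key = normalize(pathname)
        if self.mode is Mode.TRAINING:
            self.inventory.add(key)            # Step 206: record and execute
        elif self._monitoring(key):
            if key not in self.inventory:      # Step 212: no match
                self.blocked.append(pathname)  # Step 216: terminate execution
                return False
        elif self.learn_when_unmonitored:
            self.inventory.add(key)            # optional Smart sub-mode behaviour
        self.running.add(key)                  # Step 214: approved
        return True

    def close(self, pathname):
        self.running.discard(normalize(pathname))


def run_scenario():
    g = ExecutionGuard(established=[MMC], virus_sources=[BROWSER])
    r = {}
    # Training: everything runs and is recorded.
    r["train_word"] = g.request_execution(WORD)
    g.request_execution(BROWSER)
    g.close(WORD)
    g.close(BROWSER)
    # Smart mode with no virus source running: nothing is compared.
    g.mode = Mode.SMART
    r["smart_idle_unknown"] = g.request_execution(UNKNOWN)
    g.close(UNKNOWN)
    # Opening the browser toggles Smart mode to comparing every request.
    r["browser"] = g.request_execution(BROWSER)
    r["smart_active_unknown"] = g.request_execution(UNKNOWN)
    r["case_variant"] = g.request_execution("c:/program files/office/WINWORD.EXE")
    # An update that changes the pathname is blocked until retrained.
    r["moved_before"] = g.request_execution(WORD_MOVED)
    g.mode = Mode.TRAINING
    g.request_execution(WORD_MOVED)
    g.mode = Mode.ALWAYS_ON
    r["moved_after"] = g.request_execution(WORD_MOVED)
    # Always On keeps comparing even after the browser is closed.
    g.close(BROWSER)
    r["always_on_unknown"] = g.request_execution(UNKNOWN)
    r["established"] = g.request_execution(MMC)
    r["blocked"] = list(g.blocked)
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The `smart_idle_unknown` result shows the exposure the text attributes to any unmonitored state: in the Smart mode an unlisted application runs as long as no virus source application is open.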

Upon initial installation of the computer program, the training mode is automatically activated or, alternatively, the user is instructed to activate the training mode. The user is then instructed to execute all the applications that the user accesses on a regular basis. Execution of each of the applications compiles the inventory recordation personal to the user. After the user has completed executing their regularly-used applications, the user is instructed to activate the preferred variation of the protected mode, which for new users is preferably the Smart protected mode. Once the Smart protected mode is activated, the user uses the computing device as they normally would for an extended period of time, such as several days to several weeks. During activation of the Smart protected mode, the blocking of all applications will only be initiated upon the user executing an at-risk application, such as an Internet browser. Upon executing the at-risk application, the Smart protected mode toggles to the second sub-mode of instructing termination of execution of all applications not listed on the inventory recordation. If an at-risk application is not executed by the user while in the Smart protected mode, the computer program continues the compiling of the inventory recordation by continually monitoring and comparing each accessed application to the current inventory recordation and updating the inventory recordation with any newly-executed applications.

After the extended training time afforded via the Smart protected mode is over, the user may optionally activate the Always On protected mode (or, alternatively, the computer program automatically activates the Always On protected mode after the expiration of a pre-set period of time, as described above). Once in the Always On protected mode, all applications not listed on the inventory recordation are blocked (i.e., execution is instructed to be terminated), regardless of whether the user has executed an at-risk application, such as an Internet browser.

Off Mode

In yet further embodiments of the present invention, the user may activate a third program mode, wherein the application execution blocking features described above for the protected mode are permanently Off, and the program mode does not change until selective activation by the user. This “Off” program mode essentially permanently turns off any virus/malware prevention feature. Because the Off program mode places the computing device at risk for executing a virus or item of malware, embodiments of the present invention may require the user to enter a password or perform some advanced steps to activate this program mode. This would then prevent accidental activation of the off program mode or activation by a lesser-skilled user.

Additional Features

Embodiments of the present invention provide several user-selectable options to customize the computer program to the user. In a first option, the user may select when the computer program is activated, and specifically, when the protected mode is activated, as illustrated at 110 in FIG. 7. A default preference is that the protected mode is activated anytime the computing device is powered on or restarted or the operating system is booted.

As is known in the art, many updates to the operating system and to applications are automatically pushed to the computing device. Similarly, backups of the computing device are often routinely and automatically performed. To address these automatic updates and backups, the computer program offers the option of deactivating the protected mode upon the computing device being idle for a pre-set period of time, as illustrated at 112 in FIG. 7. The user has the option of selecting the pre-set period of time, but exemplary idle times are five minutes, ten minutes, thirty minutes, or greater than or equal to one hour. Alternatively, the pre-set idle time can be instructed to be the same as the pre-set time before which the screen saver of the computing device activates.

If the computing device is idle and the protected mode is deactivated, then the training mode is automatically activated. Any updates that are pushed to the computing device are automatically compared to the current inventory recordation and added if the update has a new pathname for the application. Thus, the computer program of the present invention does not interfere with routine operation and maintenance of the computing device. Upon the user accessing the computing device, i.e., terminating the device being idle, the protected mode is automatically activated.

Similar to the password feature while in the off program mode, another feature of embodiments of the present invention is a user-selectable required password or authentication procedure to activate the training mode. In particular, the computer program may present a user-selectable option for requiring that a password be submitted upon receipt of the user's request to activate the training mode (or otherwise deactivate the protected mode). The training mode would then not be activated by the computer program until entry of the correct password or submission of the required authentication. This prevents a child or unskilled user from activating a mode that would place the computing device at risk of executing a virus or item of malware. This feature may also be desirable in an enterprise environment, wherein the administrator selects this option and an administrator password is required to deactivate the protected mode.

The user may also select whether to receive balloon notifications of the blocking of an application, which is illustrated at 108 in FIG. 8. In the user preferences box 104 of FIG. 7, the user may enable balloon notifications, as illustrated at 114 in FIG. 7. Regardless of whether balloon notifications are enabled, the smart icon 100 flashes when an application is blocked so as to visually notify the user of the blocked application.

Embodiments of the present invention also allow the user to view the inventory recordation personal to the user, including the information uniquely identifying each of the applications. This feature may be beneficial to skilled users. The computer program may also require a password to modify the inventory recordation or may altogether prevent manual modification of the inventory recordation (i.e., not otherwise compiling the inventory recordation as described above).

Smart Icon

The computer program of embodiments of the present invention uses the smart icon 100 as a user interface. Use of the smart icon provides for an unobtrusive user experience. Although the smart icon 100 is specifically described herein with respect to the above-described virus/malware prevention system, the smart icon could be used for a variety of computer programs implementing various functions.

As illustrated in FIG. 5, the smart icon 100 is relatively small compared to the overall display size of the computing device, and as such, the smart icon 100 is approximately 50×50 pixels, although it can be enlarged or made smaller based upon user preference. In embodiments of the present invention, the smart icon offers unlimited left and/or right-click user options. The smart icon 100 is not simply a shortcut to the application, and right-clicking of the icon does not simply present standard “shortcut” options, such as “open,” “cut,” “copy,” etc. Instead, the smart icon 100 is the application itself and left and/or right clicking the smart icon 100 presents a menu 122 of user-selectable application operations.

In Microsoft Windows™, the smart icon 100 is a Microsoft Windows Form with the ControlBox set to “False” and FormBorderStyle set to “None.” The smart icon 100 exhibits a transparent background with an overlay of a standard software icon. The smart icon thus visually appears as a standard desktop icon, while giving it the ability to offer the unlimited left and/or right-click user options. This includes, but is not limited to, the activation and deactivation of the particular program mode, as illustrated at 122 in FIG. 6. The relatively small size of the smart icon allows the user to easily activate and deactivate the training mode or any other program mode while remaining unobtrusive to the user experience. Upon left click of the smart icon 100, the appearance of the smart icon toggles between an image that represents the protected mode being “active” (FIG. 5), and an image that represents the protected mode being “inactive” (i.e., the training mode is activated) (FIG. 4). For each successive left mouse click, the protected mode is activated or deactivated, respectively.

In one embodiment, the smart icon 100 is located in one of the four computer monitor corners, as selected by the user, and is always on top of all other program windows (FIG. 5). In other embodiments, the smart icon can be moved or dragged anywhere on the computer desktop by the user to ensure the unobtrusive user experience. Other embodiments include, but are not limited to, placing the smart icon in the Task Bar or Tray Menu area of the desktop screen. When the user performs a right click on the smart icon, the menu 122 appears that allows the user to manipulate the various user-controlled elective options, as described above and as illustrated in FIG. 6.

Whenever a new application that is not listed on the inventory recordation is initiated and detected by the computer program, the smart icon 100 temporarily flashes to alert the user that a new application is attempting to run, start, or execute. As described above, the computer program instructs the operating system to simultaneously terminate execution of the application when in the protected mode. In addition to or as an alternative to the smart icon flashing, the computer program may present the balloon 108 to the user noting that an application's execution has been terminated, as illustrated in FIG. 8. As mentioned above, this will inform the user to activate the training mode if the blocked application was a legitimate application the user was attempting to access but that was not otherwise listed on the inventory recordation.

Although the invention has been described with reference to the embodiments illustrated in the attached drawing figures, it is noted that equivalents may be employed and substitutions made herein without departing from the scope of the invention as recited in the claims. Embodiments of the present invention may, prior to allowing execution of an application, perform a comparison of the application to a list of known viruses/malware. This would be a secondary defense to ensuring that the computing device does not execute a virus. However, this will also use up additional processing power of the computing device, as the list of known viruses on a day-to-day basis is very large (e.g., multiple tens of thousands), and comparison of the yet-to-be-approved application to the list of known viruses will require more time than comparison of the application to the inventory recordation.

Having thus described various embodiments of the invention, what is claimed as new and desired to be protected by Letters Patent includes the following:

What is claimed is:
 1. A computer-implemented method comprising: compiling, by a processor of a computer, a listing of processes approved for execution by the processor while a protected mode of the computer is activated; receiving, by the processor, a request to execute a network application; activating, by the processor, the protected mode in response to receiving the request to execute the network application; executing, by the processor, the network application; receiving, by the processor, a request to execute a process that is different than the network application while the protected mode is activated; determining, by the processor, whether the process is among the listing of processes approved for execution by the processor while the protected mode is activated; in response to determining that the process is among the listing of processes approved for execution by the processor while the protected mode is activated, executing, by the processor, the process while the protected mode is activated; and in response to determining that the process is not among the listing of processes approved for execution by the processor while the protected mode is activated, denying, by the processor, execution of the process while the protected mode is activated.
 2. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a processor of a computer to perform the steps of: compiling a listing of processes approved for execution by the processor while a protected mode of the computer is activated; receiving a request to execute a network application; activating the protected mode in response to receiving the request to execute the network application; executing the network application; receiving a request to execute a process that is different than the network application while the protected mode is activated; determining whether the process is among the listing of processes approved for execution by the processor while the protected mode is activated; in response to determining that the process is among the listing of processes approved for execution by the processor while the protected mode is activated, executing the process while the protected mode is activated; and in response to determining that the process is not among the listing of processes approved for execution by the processor while the protected mode is activated, denying execution of the process while the protected mode is activated.
 3. The non-transitory computer-readable storage medium of claim 2, wherein the program instructs the processor of the computer to perform the further step of: deactivating the protected mode in response to determining that the network application is no longer executing.
 4. The non-transitory computer-readable storage medium of claim 2, wherein determining whether the process is among the listing of processes approved for execution by the processor while the protected mode is activated comprises comparing a path and file name associated with the process with respective paths and file names associated with the listing of processes.
 5. The non-transitory computer-readable storage medium of claim 2, wherein the program instructs the processor of the computer to perform the further step of: generating, for output on a display device, display data representing a graphical user interface, wherein the graphical user interface indicates whether or not the protected mode of the computer is activated.
 6. The non-transitory computer-readable storage medium of claim 5, wherein the display data representing the graphical user interface is configured for viewability over all other executing processes and applications.
 7. The non-transitory computer-readable storage medium of claim 5, wherein the program instructs the processor of the computer to perform the further step of: adjusting the display data representing the graphical user interface in response to the processor denying execution of one or more processes while the protected mode of the computer is activated.
 8. The non-transitory computer-readable storage medium of claim 7, wherein adjusting the display data representing the graphical user interface comprises generating a flashing indicator as at least a portion of the display data representing the graphical user interface.
 9. The non-transitory computer-readable storage medium of claim 7, wherein adjusting the display data representing the graphical user interface comprises generating a user-option to execute the one or more processes that were denied execution as at least a portion of the display data representing the graphical user interface.
 10. A computing system comprising: memory comprising executable instructions; and a processor operatively connected to the memory, the processor configured to execute the executable instructions in order to effectuate a method comprising: compiling a listing of processes approved for execution by the processor while a protected mode of the computing system is activated; receiving a request to execute a network application; activating the protected mode in response to receiving the request to execute the network application; executing the network application; receiving a request to execute a process that is different than the network application while the protected mode is activated; determining whether the process is among the listing of processes approved for execution by the processor while the protected mode is activated; in response to determining that the process is among the listing of processes approved for execution by the processor while the protected mode is activated, executing the process while the protected mode is activated; and in response to determining that the process is not among the listing of processes approved for execution by the processor while the protected mode is activated, denying execution of the process while the protected mode is activated.
 11. The computing system of claim 10, wherein the processor is configured to execute the executable instructions to effectuate the method further comprising: deactivating the protected mode in response to determining that the network application is no longer executing.
 12. The computing system of claim 10, wherein determining whether the process is among the listing of processes approved for execution by the processor while the protected mode is activated comprises comparing a path and file name associated with the process with respective paths and file names associated with the listing of processes.
 13. The computing system of claim 10, wherein the processor is configured to execute the executable instructions to effectuate the method further comprising: generating, for output on a display device, display data representing a graphical user interface, wherein the graphical user interface indicates whether or not the protected mode of the computer is activated.
 14. The computing system of claim 13, wherein the display data representing the graphical user interface is configured for viewability over all other executing processes and applications.
 15. The computing system of claim 13, wherein the processor is configured to execute the executable instructions to effectuate the method further comprising: adjusting the display data representing the graphical user interface in response to the processor denying execution of one or more processes while the protected mode of the computer is activated.
 16. The computing system of claim 15, wherein adjusting the display data representing the graphical user interface comprises generating a flashing indicator as at least a portion of the display data representing the graphical user interface.
 17. The computing system of claim 15, wherein adjusting the display data representing the graphical user interface comprises generating a user-option to execute the one or more processes that were denied execution as at least a portion of the display data representing the graphical user interface.